GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories by ecosystem (the interface caps displayed counts at 5,000+): all reviewed 5,000+; Composer 5,000+; Erlang 73; GitHub Actions 53; Go 4,004; Maven 5,000+; npm 5,000+; NuGet 974; pip 5,000+; Pub 13; RubyGems 1,069; Rust 1,395; Swift 61.
Unreviewed advisories: 5,000+.
608 advisories match the current filter; the 25 most recently published are listed below. All of them are Critical-severity advisories for Composer packages. Entries marked withdrawn are duplicates of an advisory that already carries a CVE.
Published | Severity | Identifier | Package (ecosystem) | Summary
Jun 11, 2026 | Critical | CVE-2026-48062 | codeigniter4/framework (Composer) | CodeIgniter4 has a validation bypass when uploading file extensions via `ext_in` rule
Jun 9, 2026 | Critical | CVE-2026-48030 | pheditor/pheditor (Composer) | Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter
Jun 8, 2026 | Critical | CVE-2026-45034 | phpoffice/phpspreadsheet (Composer) | PHPSpreadsheet has a patch bypass for CVE-2026-34084
Jun 5, 2026 | Critical | CVE-2026-47744 | shopper/framework (Composer) | Shopper: Authorization bypass and RBAC privilege escalation in team settings
Jun 4, 2026 | Critical | GHSA-8whc-2wmv-ww35 | WWBN/AVideo (Composer) | WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
May 22, 2026 | Critical | CVE-2026-46670 | yeswiki/yeswiki (Composer) | YesWiki: Unauthenticated SQL Injection
May 21, 2026 | Critical | CVE-2026-46633 | twig/twig (Composer) | Twig: PHP code injection via `{% use %}` template name
May 18, 2026 | Critical | CVE-2026-45697 | verbb/formie (Composer) | Formie: Pre-authenticated server-side template injection in Hidden fields
May 15, 2026 | Critical | GHSA-ch9q-c9mp-j5gq (withdrawn) | phpmyfaq/phpmyfaq (Composer) | Duplicate Advisory: phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
May 15, 2026 | Critical | GHSA-6626-79jh-5ccr (withdrawn) | phpmyfaq/phpmyfaq (Composer) | Duplicate Advisory: phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
May 11, 2026 | Critical | GHSA-h29g-c9cx-c73q | torrentpier/torrentpier (Composer) | torrentpier has PHP Serialize Injections
May 8, 2026 | Critical | CVE-2026-37709 | snipe/snipe-it (Composer) | Snipe-IT has insecure permissions in file uploads
May 8, 2026 | Critical | CVE-2026-44212 | prestashop/prestashop (Composer) | PrestaShop has a stored XSS executable in customer service view
May 7, 2026 | Critical | GHSA-gr3r-crp5-qrrm | intercom/intercom-php (Composer) | Compromised tag of intercom-php published via GitHub
May 6, 2026 | Critical | CVE-2026-46364 | phpmyfaq/phpmyfaq (Composer) | phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
May 6, 2026 | Critical | CVE-2026-45010 | phpmyfaq/phpmyfaq (Composer) | phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
May 6, 2026 | Critical | CVE-2026-44262 | dedoc/scramble (Composer) | Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
May 5, 2026 | Critical | GHSA-vj3m-2g9h-vm4p | getgrav/grav (Composer) | Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass
May 5, 2026 | Critical | CVE-2026-42613 | getgrav/grav (Composer) | Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access
May 5, 2026 | Critical | CVE-2026-42607 | getgrav/grav (Composer) | Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
May 5, 2026 | Critical | CVE-2026-42155 | openmage/magento-lts (Composer) | Magento LTS has Weak API Session ID — Predictable MD5 of Time-Derived Inputs
May 4, 2026 | Critical | CVE-2026-42569 | nabeel/phpvms (Composer) | phpVMS has an /importer authorization bypass causing full database wipe
Apr 29, 2026 | Critical | CVE-2026-34084 | phpoffice/phpspreadsheet (Composer) | PhpSpreadsheet has SSRF/RCE in IOFactory::load when $filename is user controlled
Apr 29, 2026 | Critical | CVE-2026-38992 | cockpit-hq/cockpit (Composer) | Cockpit is vulnerable to arbitrary code execution
Apr 22, 2026 | Critical | CVE-2026-41203 | ci4-cms-erp/ci4ms (Composer) | CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE
Advisories are also available from the GraphQL API.
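As an added example (not code from this page or from GitHub), the script below pulls the same view as this listing, Composer ecosystem and Critical severity, through the GraphQL API mentioned above, drops withdrawn duplicate advisories of the kind the two phpMyFAQ entries show, and matches the remaining vulnerable version ranges against the packages in a composer.lock. The query shape (the `securityVulnerabilities` connection with `ecosystem` and `severities` arguments, and the `withdrawnAt`, `vulnerableVersionRange` and `firstPatchedVersion` fields) follows GitHub's published GraphQL schema and is an assumption here, as are the endpoint URL, the `GITHUB_TOKEN` environment variable, and the constructed sample response with its placeholder package names and identifiers. The version comparison is a deliberate simplification that ignores pre-release suffixes.

```python
"""Pull Critical Composer advisories from the GitHub GraphQL API and check a
composer.lock against them. Added example, not GitHub's code; the query shape is
assumed from GitHub's published schema, the sample data below is constructed."""
import json
import os
import re
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"  # assumed endpoint

QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $severities: [SecurityAdvisorySeverity!],
      $first: Int!, $after: String) {
  securityVulnerabilities(ecosystem: $ecosystem, severities: $severities,
                          first: $first, after: $after,
                          orderBy: {field: UPDATED_AT, direction: DESC}) {
    pageInfo { hasNextPage endCursor }
    nodes {
      package { name ecosystem }
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      advisory { ghsaId summary severity publishedAt withdrawnAt identifiers { type value } }
    }
  }
}
"""


def build_request(token, ecosystem="COMPOSER", severities=("CRITICAL",), first=25, after=None):
    """Build the POST request for one page of results (same filter as the listing)."""
    variables = {"ecosystem": ecosystem, "severities": list(severities),
                 "first": first, "after": after}
    body = json.dumps({"query": QUERY, "variables": variables}).encode()
    headers = {"Authorization": f"bearer {token}", "Content-Type": "application/json",
               "User-Agent": "advisory-check-example"}
    return urllib.request.Request(GRAPHQL_URL, data=body, headers=headers, method="POST")


def fetch_page(token, **kwargs):
    """Network call; only used when GITHUB_TOKEN is set (see __main__)."""
    with urllib.request.urlopen(build_request(token, **kwargs), timeout=30) as resp:
        return json.load(resp)


def parse_vulnerabilities(response):
    """Flatten one response page into dicts, dropping withdrawn (duplicate) advisories."""
    if response.get("errors"):
        raise RuntimeError(response["errors"])
    out = []
    for node in response["data"]["securityVulnerabilities"]["nodes"]:
        adv = node["advisory"]
        if adv.get("withdrawnAt"):  # withdrawn duplicates are still returned; skip them
            continue
        cves = [i["value"] for i in adv["identifiers"] if i["type"] == "CVE"]
        out.append({"id": cves[0] if cves else adv["ghsaId"], "ghsa": adv["ghsaId"],
                    "severity": adv["severity"], "package": node["package"]["name"].lower(),
                    "range": node["vulnerableVersionRange"],
                    "patched": (node.get("firstPatchedVersion") or {}).get("identifier"),
                    "published": adv["publishedAt"]})
    return out


def _vkey(version):
    """Numeric tuple for comparison; pre-release suffixes like -beta1 are ignored (simplification)."""
    parts = [int(p) if p.isdigit() else 0
             for p in version.lstrip("v").split("-", 1)[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}


def version_in_range(version, range_expr):
    """True if version satisfies every comma-separated clause, e.g. '>= 1.0, < 1.5.3'."""
    v = _vkey(version)
    for clause in range_expr.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*([\w.+-]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not _OPS[m.group(1)](v, _vkey(m.group(2))):
            return False
    return True


def load_lock(path):
    """Map package name -> installed version from a composer.lock file."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return {p["name"].lower(): p["version"].lstrip("v")
            for p in data.get("packages", []) + data.get("packages-dev", [])}


def affected_packages(lock_packages, vulns):
    """(package, installed, advisory id, first patched version) for each matching advisory."""
    hits = []
    for vuln in vulns:
        installed = lock_packages.get(vuln["package"])
        if installed and version_in_range(installed, vuln["range"]):
            hits.append((vuln["package"], installed, vuln["id"], vuln["patched"]))
    return hits


# Constructed sample in the shape the query returns; names and identifiers are placeholders.
SAMPLE_RESPONSE = {"data": {"securityVulnerabilities": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        {"package": {"name": "example/vuln-lib", "ecosystem": "COMPOSER"},
         "vulnerableVersionRange": ">= 1.0, < 1.5.3",
         "firstPatchedVersion": {"identifier": "1.5.3"},
         "advisory": {"ghsaId": "GHSA-xxxx-xxxx-xxx1", "summary": "placeholder RCE",
                      "severity": "CRITICAL", "publishedAt": "2026-05-06T00:00:00Z",
                      "withdrawnAt": None,
                      "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxx1"},
                                      {"type": "CVE", "value": "CVE-0000-0001"}]}},
        {"package": {"name": "example/vuln-lib", "ecosystem": "COMPOSER"},
         "vulnerableVersionRange": ">= 1.0, < 1.5.3",
         "firstPatchedVersion": {"identifier": "1.5.3"},
         "advisory": {"ghsaId": "GHSA-xxxx-xxxx-xxx2", "summary": "Duplicate Advisory: placeholder RCE",
                      "severity": "CRITICAL", "publishedAt": "2026-05-15T00:00:00Z",
                      "withdrawnAt": "2026-05-15T12:00:00Z",
                      "identifiers": [{"type": "GHSA", "value": "GHSA-xxxx-xxxx-xxx2"}]}}]}}}
SAMPLE_LOCK = {"example/vuln-lib": "1.4.2", "example/other-lib": "3.0.0"}  # constructed

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    response = fetch_page(token) if token else SAMPLE_RESPONSE  # offline fallback
    lock = load_lock("composer.lock") if os.path.exists("composer.lock") else SAMPLE_LOCK
    for pkg, installed, adv_id, patched in affected_packages(lock, parse_vulnerabilities(response)):
        print(f"{pkg} {installed} affected by {adv_id}; first patched version: {patched}")
```

Run it with `GITHUB_TOKEN` set and a composer.lock in the working directory to check real dependencies; without either it runs against the constructed sample. Paging with `pageInfo.endCursor` is left to the caller, and the duplicate-advisory filter relies on `withdrawnAt`, which is why the withdrawn phpMyFAQ-style entry in the sample produces no second hit.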